While running a ClickOnce 4.5 application, you may receive the below error message:

Once you click the Details… button, the log file opens, and in it you can find the following exception:

Following failure messages were detected:
  + Exception reading manifest from file://XXX/ClickOnce/MyApplication.application: the manifest may not be valid or the file could not be opened.
  + Manifest XML signature is not valid.
  + SignatureDescription could not be created for the signature algorithm supplied.

--- Inner Exception ---
  System.Security.Cryptography.CryptographicException
  - SignatureDescription could not be created for the signature algorithm supplied.
  - Source: System.Security
  - Stack trace:
   at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignatureReturningKey(AsymmetricAlgorithm& signingKey)
   at System.Deployment.Internal.CodeSigning.SignedCmiManifest.Verify(CmiManifestVerifyFlags verifyFlags)
   at System.Deployment.Application.Manifest.AssemblyManifest.ValidateSignature(Stream s)

This issue is caused by the MyApplication.application file: the hash for that file was generated using the SHA-256 algorithm. You can find the following tag Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256" /> in the application manifest file. For more information, see: http://msdn.microsoft.com/en-us/library/92f9ye3s.aspx#clickonce

This change occurred because, in .NET Framework 4.5, we stopped using legacy (SHA-1) certificates as the default for signing manifests and instead use the newer version (SHA-256), which the .NET 4.0 runtime does not recognize. As a result, the 4.0 runtime reports an invalid manifest while parsing it. With legacy frameworks, when you try to run a ClickOnce app on a machine that does not have the targeted runtime, ClickOnce shows the user a message saying “you need xxxx.xx runtime to run this app”. Starting with .NET 4.5, however, if a 4.5 ClickOnce app is run on a machine with only .NET 4.0 installed, the message complains about an invalid manifest. To resolve the issue, you must install .NET Framework 4.5 on the target system.
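To check a published manifest before users hit this error, the following added example (not code from the original post or from Microsoft) reads the signature algorithm out of a manifest and reports whether a machine with only .NET 4.0 could verify it. It assumes the Algorithm attribute quoted above sits on the standard XML-DSig SignatureMethod element; the function names, verdict strings and the trimmed sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# URI this page quotes from a manifest signed by the .NET 4.5 tooling.
RSA_SHA256 = DSIG_NS + "rsa-sha256"
# Standard XML-DSig URI for RSA with SHA-1 (the legacy default).
RSA_SHA1 = DSIG_NS + "rsa-sha1"


def signature_algorithms(manifest_xml):
    """Return the Algorithm URI of every SignatureMethod in the manifest."""
    root = ET.fromstring(manifest_xml)
    tag = "{%s}SignatureMethod" % DSIG_NS
    return [el.get("Algorithm", "") for el in root.iter(tag)]


def net40_verdict(manifest_xml):
    """Classify a manifest by whether a .NET 4.0-only machine can verify it."""
    try:
        algs = signature_algorithms(manifest_xml)
    except ET.ParseError:
        return "unreadable"
    if not algs:
        return "unsigned"
    if RSA_SHA256 in algs:
        # On 4.0 this surfaces as "Manifest XML signature is not valid."
        return "needs-4.5"
    if all(a == RSA_SHA1 for a in algs):
        return "ok-on-4.0"
    return "unknown-algorithm"


def _sample(alg):
    # Constructed, heavily trimmed manifest: only the elements this check reads.
    return (
        '<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">'
        '<Signature xmlns="%s"><SignedInfo>'
        '<SignatureMethod Algorithm="%s" />'
        '</SignedInfo></Signature></asmv1:assembly>' % (DSIG_NS, alg)
    )


if __name__ == "__main__":
    cases = [("sha256", _sample(RSA_SHA256)), ("sha1", _sample(RSA_SHA1)),
             ("unsigned", "<assembly/>"), ("broken", "<assembly")]
    for name, xml in cases:
        print(name, "->", net40_verdict(xml))
```

The check reads the manifest itself rather than the signing certificate, so it reports what the runtime will actually be asked to verify.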

 

Latest Update: Starting with VS 2013 Update 3 RC and the soon-to-be released RTM version of the update, this issue has been resolved.  Namely, even if you are using a SHA256 certificate but targeting a lower version of .NET (e.g., 3.5 or 4.0), the manifest will be generated in such a way that it can still run on down-level .NET versions.